How to create rewrite policy for Security Headers

Article ID: CTX233095
Description

This article explains how to create rewrite policies that insert the common security response headers: Strict-Transport-Security (HSTS), X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy.

ADC appliances also support HTTP Strict Transport Security (HSTS) as a built-in option in SSL profiles and on SSL virtual servers; the rewrite-based approach below is an alternative that works for every header.


Instructions

1. Create the following rewrite actions, one for each header. Go to AppExpert > Rewrite > Actions and click Add:

STS Header: [screenshot]

XSS Header: [screenshot]

XContent Header: [screenshot]

Content Security: [screenshot]

Create Rewrite Actions using CLI:

add rewrite action insert_STS_header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

add rewrite action rw_act_insert_XSS_header insert_http_header X-Xss-Protection "\"1; mode=block\""

add rewrite action rw_act_insert_Xcontent_header insert_http_header X-Content-Type-Options "\"nosniff\""

add rewrite action rw_act_insert_Content_security_policy insert_http_header Content-Security-Policy "\"default-src \'self\' ; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' ; style-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; img-src \'self\' data:\""


2. Create the following rewrite policies and link them to the actions. Go to AppExpert > Rewrite > Policies and click Add to create each policy. Note that the XSS policy fires only when the response does not already carry the header, whereas the policies with the expression TRUE insert the header unconditionally, so a back end that already sends one of those headers will end up with two copies:

Enforce STS policy with Action Insert STS Header: [screenshot]

XContent Policy with Xcontent Header Action: [screenshot]

Content Security Policy with Action: [screenshot]

XSS Header policy with Action: [screenshot]

Create Rewrite Policy using CLI:

add rewrite policy enforce_STS true insert_STS_header

add rewrite policy rw_pol_insert_XSS_header "HTTP.RES.HEADER(\"X-Xss-Protection\").EXISTS.NOT" rw_act_insert_XSS_header

add rewrite policy rw_pol_insert_XContent TRUE rw_act_insert_Xcontent_header

add rewrite policy rw_pol_insert_Content_security_policy TRUE rw_act_insert_Content_security_policy

 
3. Bind the policies to the virtual server at the Response bind point, with the Goto Expression set to NEXT so that every policy in the bank is evaluated instead of processing stopping at the first match:

[screenshot]

NOTE:

1. In the case of SSLVPN, use the following Content-Security-Policy action instead:

add rewrite action Rewrite_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"default-src \'self\' ; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' ; style-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; img-src \'self\' http://localhost:* data:;\" "

The localhost exception is required because the browser passes the cookie and Gateway information to the plugin with an HTTP call to localhost. With only 'self' in the CSP, calls to the vserver alone would be allowed.

The AAAC cookie, Gateway address and so on are passed with this call: image.src = "http://localhost:"+agentPort+"/svc?NSC_AAAC="+ns_aaac+"&nsloc="+nsloc+"&nsversion=1,1,1,1&nstrace=DEBUG&nsvip=255.255.255.255"; Because the call is made through an image load, the change is needed only for img-src, and that is enough for communication between the browser and the plugin.

If the localhost exception is omitted, the browser may get stuck on the plugin download page.

2. If you face issues with workspace detection on 13.0 and above with the configuration above, remove the default-src directive and start the expression with script-src 'self':

Example: add rewrite action Rewrite_Insert_Content-Security-Policy insert_http_header Content-Security-Policy "\"script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' ; style-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; img-src \'self\' http://localhost:* data:;\" "

Additional Information

Some additional actions and policies that may be added are as follows. Browsers honour only the values DENY and SAMEORIGIN (written without a hyphen) in X-Frame-Options and silently ignore any other value, so the value is given as SAMEORIGIN here; the header browsers actually evaluate is X-Frame-Options:

add rewrite action rw_act_insert_Frame_Options insert_http_header Frame-Options "\"SAMEORIGIN\""
add rewrite policy rw_pol_insert_Frame_Options TRUE rw_act_insert_Frame_Options

add rewrite action rw_act_insert_XFrame_Options insert_http_header X-Frame-Options "\"SAMEORIGIN\""
add rewrite policy rw_pol_insert_XFrame_Options TRUE rw_act_insert_XFrame_Options
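After binding the policies it is worth confirming, from the client side, that the headers configured in steps 1 to 3 really arrive and carry values a browser will honour, including the SSLVPN localhost exception in img-src from the note above and a valid X-Frame-Options token. The script below is an added example, not part of this article or of Citrix ADC; it audits a raw response header block such as the output of `curl -sI https://<vserver>/`. The response text, the one-year minimum HSTS lifetime and the finding messages are constructed assumptions of this example.

```python
"""Offline audit of the security headers configured by the rewrite policies.

Added example, not from the article or from Citrix. Paste the header block
of a real response (e.g. `curl -sI https://<vserver>/`) into audit(); the
sample response below is constructed and deliberately carries the common
X-Frame-Options typo so that the check has something to report.
"""
import re

# Constructed sample response as it might look after the policies are bound.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=157680000
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' http://localhost:* data:;
X-Frame-Options: SAME-ORIGIN
"""

# Minimum HSTS lifetime this example insists on (one year, an assumption;
# the article itself sets five years).
MIN_HSTS_AGE = 31536000


def parse_headers(raw: str) -> dict:
    """Return {lowercased header name: value} for a raw HTTP response."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw: str, sslvpn: bool = False) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []

    # HSTS: header present with a max-age at or above the minimum.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS header missing or without max-age")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_AGE}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-Xss-Protection missing or disabled")

    # CSP: must exist, and for SSLVPN img-src must allow the localhost plugin call.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = parse_csp(csp)
        if "default-src" not in d and "script-src" not in d:
            findings.append("CSP has neither default-src nor script-src")
        img_src = d.get("img-src", [])
        if sslvpn and not any(s.startswith("http://localhost:") for s in img_src):
            findings.append("SSLVPN CSP lacks http://localhost:* in img-src")

    # X-Frame-Options: browsers honour only DENY and SAMEORIGIN.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value '{xfo}' is not DENY/SAMEORIGIN and will be ignored")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, sslvpn=True):
        print("FINDING:", finding)
```

Run against the constructed sample with sslvpn=True it reports only the X-Frame-Options value; pass the actual `curl -sI` output and set sslvpn according to whether the vserver is a Gateway.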